23 October 2017

Make your own malicious WhatsApp

We saw how to create a backdoor for Android systems in my last post, but if we want to be more convincing when deploying a trojan onto someone’s mobile, we’ll need to customize the malicious application. For instance, it would be a good idea to change the app name to WhatsApp Messenger, Facebook or some other social network, as well as customize permissions and replace the default app icon with something more convincing.

Step 1: The first step is to make the malicious mobile application with the MSFvenom tool from Kali Linux, where we set the IP address and port of the C&C server.

Making the Malicious Apk

Step 2: Once the malicious application has been created, we have to decompile the application to get the important files, which are going to be modified to make the application more convincing.

Decompiling the Malicious Apk

Step 3: It’s time to modify the AndroidManifest.xml file to customize permissions and avoid warnings during installation, as well as to change the highlighted line to add icons.

Modifying App Permissions in the AndroidManifest.xml file

On the other hand, we can edit the strings.xml file in the “values” folder, which is inside the “res” folder, to change the application name to something more convincing. For instance, WhatsApp Messenger Plus.

Modifying the App Name in the strings.xml file

If we want to customize the application icons as well, we’ll have to make three new folders inside the “res” folder and copy the icon png files into them.

We should have a 72x72 pixel file called icon.png in the drawable-hdpi-v4 folder.

We should have a 36x36 pixel file called icon.png in the drawable-ldpi-v4 folder.

We should have a 48x48 pixel file called icon.png in the drawable-mdpi-v4 folder.

Modifying App Icons in the res folder

It’s easy to resize images on the net. There are many services to do this. For instance, resizeimage.net.

Step 4: The next step is to compile the custom application with the apktool command to make a new application with all our custom features. Once executed, we’ll see the new application in the “dist” folder.

Compiling the Malicious App

Step 5: We’re almost done. Android systems don’t allow installing applications that are not signed, thus we have to sign the application manually with jarsigner and our keystore.

Signing the Malicious Apk

Step 6: We are ready to deploy the custom application to someone’s mobile. As you can see, it’s simple and easy, and we just need social engineering to achieve our aim.

Fake WhatsApp Messenger Plus

Once the malicious application is installed on an Android system, we’ll have to start the listener with the multi/handler exploit from Metasploit, which will be our C&C system to control Android devices. How to start the listener is explained in my last post (step 3).
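
Seen from the receiving side, the steps above leave a checkable mismatch: a label borrowed from a well-known app sits on a package name that is not that app's. The following Python check is an added example, not code from the original post; it audits the text files apktool produces when decoding an APK, and the brand list, the risky-permission list, the package name com.example.stage and the sample files are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumption: brand keyword -> package name of the genuine app (maintain your own list).
BRANDS = {"whatsapp": "com.whatsapp", "facebook": "com.facebook.katana"}
# Assumption: permissions worth a second look in a messaging look-alike.
RISKY = {"READ_SMS", "SEND_SMS", "RECORD_AUDIO", "CAMERA", "READ_CONTACTS",
         "READ_CALL_LOG", "ACCESS_FINE_LOCATION"}

def audit_decoded_apk(manifest_xml, strings_xml):
    """Return findings for a decoded APK (AndroidManifest.xml, res/values/strings.xml)."""
    manifest = ET.fromstring(manifest_xml)
    strings = {s.get("name"): (s.text or "")
               for s in ET.fromstring(strings_xml).iter("string")}
    package = manifest.get("package", "")
    app = manifest.find("application")
    label = app.get(ANDROID + "label", "") if app is not None else ""
    if label.startswith("@string/"):  # resolve the reference into strings.xml
        label = strings.get(label[len("@string/"):], label)
    findings = []
    for brand, genuine in BRANDS.items():
        if brand in label.lower() and package != genuine:
            findings.append(f"label '{label}' uses brand '{brand}' "
                            f"but package is '{package}', not '{genuine}'")
    requested = {p.get(ANDROID + "name", "").rsplit(".", 1)[-1]
                 for p in manifest.iter("uses-permission")}
    risky = sorted(requested & RISKY)
    if risky:
        findings.append("requests high-risk permissions: " + ", ".join(risky))
    return findings

# Constructed sample input, shaped like apktool's decoded output.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.stage">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="@string/app_name" android:icon="@drawable/icon"/>
</manifest>"""

SAMPLE_STRINGS = """<resources>
    <string name="app_name">WhatsApp Messenger Plus</string></resources>"""

if __name__ == "__main__":
    for finding in audit_decoded_apk(SAMPLE_MANIFEST, SAMPLE_STRINGS):
        print("FINDING:", finding)
```

A matching package name is not proof of authenticity on its own; the APK's signing certificate should also be compared with the publisher's.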

I’m not responsible for any illegal activity performed by the reader because this is for educational purposes only.